NTP Bug 3383

NTP-01-008 NTP: Stack Buffer Overflow from Command Line (WINDOWS installer ONLY) (Low)

  • Date Resolved: 21 Mar 2017
  • References: Sec 3383 / CVE-2017-6452 / VU#325339
  • Affects: WINDOWS installer ONLY: All versions of the ntp-4 Windows installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94.
  • CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  • CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  • Summary: The Windows installer for NTP calls strcat(), blindly appending the string passed to the stack buffer in the addSourceToRegistry() function. The stack buffer is 70 bytes smaller than the buffer in the calling main() function. Together with the initially copied Registry path, the combination causes a stack buffer overflow and effectively overwrites the stack frame. The passed application path is actually limited to 256 bytes by the operating system, but this is not sufficient to assure that the affected stack buffer is consistently protected against overflowing at all times.
  • Mitigation:
  • Credit: This weakness was discovered by Cure53.

This topic: Main > SecurityNotice > NtpBug3383
Topic revision: r1 - 2017-03-22 - 01:35:17 - HarlanStenn
SSL security by CAcert
Get the CAcert Root Certificate
This site is powered by the TWiki collaboration platform
IPv6 Ready
Copyright & 1999-2018 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding the site? Send feedback